CVE-2026-20874
Published: 13 January 2026
Summary
CVE-2026-20874 is a high-severity Race Condition (CWE-362) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents unauthorized and unintended information transfer via shared system resources, which is the core mechanism of this race condition vulnerability in Windows Management Services.
Requires timely flaw remediation including patching the specific race condition vulnerability as detailed in the MSRC advisory.
Enforces least privilege to limit the scope and potential impact of local privilege escalation from low-privileged authorized accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local race condition in Windows Management Services directly enables local privilege escalation by an authorized low-privileged attacker (T1068).
NVD Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
Deeper analysisAI
CVE-2026-20874 is a race condition vulnerability (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) in Windows Management Services, also associated with CWE-416. Published on January 13, 2026, it enables an authorized attacker to elevate privileges locally. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high impact with local attack vector, high attack complexity, low privileges required, no user interaction, and changed scope.
A local attacker with low-level authorized access (PR:L) can exploit this race condition through concurrent execution on a shared resource lacking proper synchronization. Exploitation requires physical or logical local access (AV:L) and high complexity (AC:H), but proceeds without user interaction (UI:N). Successful attacks result in privilege escalation, yielding high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within a changed scope (S:C).
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20874 provides details on affected versions, patches, and mitigation guidance for this vulnerability.
Details
- CWE(s)